NEW changes in stable-new
Processing changes file: linux_6.1.64-1_source.changes ACCEPT
Bug#1057180: bullseye-pu: package mariadb-10.5 1:10.5.23-0+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

I propose that the latest version of MariaDB 10.5.23 be included in the oldstable release update of Debian.

According to https://release.debian.org/ there is no planned point release for Bullseye at the moment. It is however still too new for LTS (https://wiki.debian.org/LTS). This might also go in as a security upload. Deciding on the urgency and upload channel is not coupled to the actual preparation of the upload, which I have in progress at https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/16

I am filing this bug report for tracking purposes. The final version and changelog and debdiff will be posted later.
Bug#1057179: bookworm-pu: package mariadb-10.6 1:10.11.6-0+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

I propose that the latest version of MariaDB 10.11.6 be included in the stable release update of Debian.

I am filing this bug report for tracking purposes. The final version and changelog and debdiff will be posted later.

Work-in-progress at https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/60
Bug#622947: per-maintainer insights into migrations and transitions
On Thu, 2023-11-30 at 14:14 +0100, Paul Gevers wrote:

> The tracker has been doing this for years now.

distro-tracker doesn't have per-maintainer pages at all and neither does the QA excuses page AFAICT. The DDPO kind of does, but doesn't list transitions etc. The DMD kind of does too, but also no transitions etc. So I suggest reopening this request.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Processed: transition: libsfml
Processing control commands: > affects -1 + src:libsfml Bug #1057175 [release.debian.org] transition: libsfml Added indication that 1057175 affects src:libsfml -- 1057175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057175 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1057175: transition: libsfml
Package: release.debian.org
Control: affects -1 + src:libsfml
X-Debbugs-Cc: libs...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hi,

libsfml needs a transition due to an ABI bump from 2.5 to 2.6. It's currently in experimental and built everywhere except mips64el where it's waiting to be built.

The rdeps are:
 casparcg-server (in contrib)
 dolphin-emu
 extremetuxracer
 libcsfml
 marsshooter
 python-sfml
 seriousproton

I did a test rebuild against 2.6 and everything builds on amd64 except for seriousproton which already FTBFS for other reasons and is not in testing.

The auto-libsfml tracker looks correct to me.

Thanks,
James

Ben file:

title = "libsfml";
is_affected = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" | .depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ "libsfml-window2.5" | .depends ~ "libsfml-audio2.6" | .depends ~ "libsfml-graphics2.6" | .depends ~ "libsfml-network2.6" | .depends ~ "libsfml-system2.6" | .depends ~ "libsfml-window2.6";
is_good = .depends ~ "libsfml-audio2.6" | .depends ~ "libsfml-graphics2.6" | .depends ~ "libsfml-network2.6" | .depends ~ "libsfml-system2.6" | .depends ~ "libsfml-window2.6";
is_bad = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" | .depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ "libsfml-window2.5";
Bug#1054100: bullseye-pu: package iotop-c/1.23-1
On Wed, 2023-11-29 at 22:17 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2023-10-17 at 02:03 +, Boian Bonev wrote:
> > [ Reason ]
> > This update fixes 3 bugs in iotop-c:
> > - the program will busy loop after pressing ESC key, eating 100% on one core
> > - pseudo graphs in ASCII mode display incorrect/garbage values
> > - the logic behind showing only IO active processes incorrectly hides active ones
>
> Please go ahead.

Uploaded, thanks!

With best regards,
b.
Bug#994540: marked as done (transition: imagemagick)
Your message dated Thu, 30 Nov 2023 22:08:17 +0100 with message-id and subject line Re: Bug#994540: transition: imagemagick has caused the Debian Bug report #994540, regarding transition: imagemagick to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
994540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994540
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Imagemagick changes some internal structures. Upstream bump so (safe), so ask for a rebuilt.

Ben file:

title = "imagemagick";
is_affected = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)" | .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_good = .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_bad = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)";
--- End Message ---
--- Begin Message ---
On 2023-01-08 19:24:27 +0100, Sebastian Ramacher wrote:
> Control: tags -1 = moreinfo
>
> On 2022-11-10 23:08:27 +0100, Sebastian Ramacher wrote:
> > On 2022-09-03 15:59:44 +0200, Sebastian Ramacher wrote:
> > > Control: tags -1 confirmed
> > >
> > > On 2022-07-15 14:03:24 +0200, Johannes Schauer Marin Rodrigues wrote:
> > > > Hi Sebastian,
> > > >
> > > > Quoting Sebastian Ramacher (2022-07-13 22:52:52)
> > > > > On 2021-09-29 10:38:07 +0200, jo...@mister-muffin.de wrote:
> > > > > > > Do all reverse dependencies build fine with the new Imagemagick version?
> > > > > > > If not, have bugs been filed?
> > > > > >
> > > > > > I have rebuilt all 399 source packages that have at least one binary produced by src:imagemagick in their build dependency installation closure. Of those, 16 packages FTBFS with the imagemagick version from experimental but succeed with the version from unstable. Of those, only one package (src:wand) is in the list from https://release.debian.org/transitions/html/auto-imagemagick.html I filed this failure as #995290 and will investigate the other 15 instances as well. But since those source packages are not part of the transition, they should probably not block this bug.
> > > > >
> > > > > This transition completely dropped off my radar, sorry!
> > > > >
> > > > > What's the current status of the preparations? Have the bugs been filed?
> > > >
> > > > we had one build failure in src:wand which I fixed in imagemagick upload of 8:6.9.12.20+dfsg1-1.2 to experimental. See also #995290
> > >
> > > Please go ahead
> >
> > This upload did not happen. Was the status here?
>
> Let's postpone this transition to trixie. Please remove the moreinfo tag once you are ready to start the transition after the release of bookworm.

And it's finally done. The old packages were removed from testing.

Cheers
--
Sebastian Ramacher
--- End Message ---
Bug#1056961: marked as done (transition: limesuite)
Your message dated Thu, 30 Nov 2023 22:09:05 +0100 with message-id and subject line Re: Bug#1056961: transition: limesuite has caused the Debian Bug report #1056961, regarding transition: limesuite to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1056961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: limesu...@packages.debian.org
Control: affects -1 + src:limesuite

Hi,

I'm sorry that I rushed that with neglecting to ask for coordination - perhaps the Cambridge Minidebconf was too exciting and I just uploaded. Anyway:

There is a new limesuite version in unstable, and the 3 reverse-deps need binnmus "Rebuild against limesuite 23.11.":

gr-limesdr
indi-limesdr
osmo-trx

https://release.debian.org/transitions/html/auto-limesuite.html

Thanks,
Christoph
--- End Message ---
--- Begin Message ---
On 2023-11-27 10:51:46 +0100, Christoph Berg wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: limesu...@packages.debian.org
> Control: affects -1 + src:limesuite
>
> Hi,
>
> I'm sorry that I rushed that with neglecting to ask for coordination - perhaps the Cambridge Minidebconf was too exciting and I just uploaded. Anyway:
>
> There is a new limesuite version in unstable, and the 3 reverse-deps need binnmus "Rebuild against limesuite 23.11.":

The old binaries got removed from testing.

Cheers
--
Sebastian Ramacher
--- End Message ---
Bug#1056308: marked as done (transition: wireshark)
Your message dated Thu, 30 Nov 2023 22:09:37 +0100 with message-id and subject line Re: Bug#1056308: transition: wireshark has caused the Debian Bug report #1056308, regarding transition: wireshark to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1056308: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056308
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I'd like to update wireshark in unstable. The only reverse dependency to be rebuilt is libvirt [1].

Libvirt fails to rebuild for me locally on an Ubuntu system in an unstable schroot environment with and without wireshark with the same test error:

...
--- stderr ---
TEST: virnetsockettest
Cannot identify IPv4/6 availability
...
Summary of Failures:
124/173 libvirt:bin / virnetsockettest FAIL 0.05s exit status 1
Ok: 171
Expected Fail: 0
Fail: 1
Unexpected Pass:0
Skipped:1
Timeout:0
...

I believe libvirt will build fine with the updated wireshark package on the buildds.

Thank you,
Balint

[1] https://release.debian.org/transitions/html/auto-wireshark.html
--- End Message ---
--- Begin Message ---
On 2023-11-23 09:20:34 +0100, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
>
> On 2023-11-20 11:37:49 +0100, Bálint Réczey wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> > Dear Release Team,
> >
> > I'd like to update wireshark in unstable. The only reverse dependency to be rebuilt is libvirt [1].
>
> Please go ahead.

The old binaries got removed from testing. Closing.

Cheers
--
Sebastian Ramacher
--- End Message ---
Processed: bookworm-pu: package gnome-characters/43.1-1+deb12u1
Processing control commands: > affects -1 + src:gnome-characters Bug #1057159 [release.debian.org] bookworm-pu: package gnome-characters/43.1-1+deb12u1 Added indication that 1057159 affects src:gnome-characters -- 1057159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057159 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1057157: bookworm-pu: package spyder/5.4.2+ds-5+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spy...@packages.debian.org, Samuel Thibault
Control: affects -1 + src:spyder

[ Reason ]
This is a patch for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054475

This bug prevents auto-detection of the environment language (using the Python locale.getdefaultlocale() function) when Spyder is first run. After that, Spyder saves the language and uses that saved value for future use; this setting can be changed in the Spyder preferences. The upstream patch fixes the error that caused this bug by updating the list of available translations.

The Debian bug was filed as "normal" severity. It should probably be "important", but I have not changed the severity. (It is definitely not more than "important", as the language can still be changed by the user after Spyder has started in English.) The reporter specifically suggested that this should be fixed in stable, and with such a simple patch, I tend to agree.

The patch I have used is the complete upstream patch, minus a minor tweak to some function documentation. This is a little larger than the proposed patch in the Debian bug report, but it protects against any other oversight in the list of translations.

[ Impact ]
When starting Spyder for the first time in a non-English locale, the interface will be in English rather than the locale language, even if a translation for that locale is provided by Spyder.

[ Tests ]
It appears that there are no tests for this piece of code (hence why this bug was not caught automatically). The package's autopkgtest suite still passes, and the updated package has been manually tested on a bookworm system to ensure that it no longer has this bug.

[ Risks ]
There seem to be few risks with this minor patch.
[ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] See the patch: it fixes the list of available translations and no longer defaults to English if the list of translations is out of date. [ Other info ] I have not yet uploaded the new version to ftp-master.d.o; I await your approval before doing so. diff -Nru spyder-5.4.2+ds/debian/changelog spyder-5.4.2+ds/debian/changelog --- spyder-5.4.2+ds/debian/changelog2023-02-23 10:59:49.0 + +++ spyder-5.4.2+ds/debian/changelog2023-11-30 20:22:17.0 + @@ -1,3 +1,9 @@ +spyder (5.4.2+ds-5+deb12u1) stable; urgency=medium + + * Fix interface language auto-configuration (closes: #1054475) + + -- Julian Gilbey Thu, 30 Nov 2023 20:22:17 + + spyder (5.4.2+ds-5) unstable; urgency=medium * Fix translation-loading patch (see discussion at diff -Nru spyder-5.4.2+ds/debian/patches/enable-i18n.patch spyder-5.4.2+ds/debian/patches/enable-i18n.patch --- spyder-5.4.2+ds/debian/patches/enable-i18n.patch1970-01-01 01:00:00.0 +0100 +++ spyder-5.4.2+ds/debian/patches/enable-i18n.patch2023-11-30 20:22:17.0 + 
@@ -0,0 +1,76 @@ +From: Carlos Cordoba +Date: Thu, 26 Oct 2023 13:52:55 -0500 +Subject: [PATCH] Backport PR #21451: Fix interface language auto-configuration +Description: + Commit 7d99df57dc977ee00d92c959102409be1683df24 + This bug prevented auto-configuration of the interface language when + Spyder is started for the first time. (After that, the interface language + is stored in the preferences file and can be changed via the preferences + dialog.) + A minor cosmetic fix to the function documentation has been removed from + this patch. +Last-Update: 2023-11-30 +Origin: upstream, https://github.com/spyder-ide/spyder/pull/21461 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054475 + +--- a/spyder/config/base.py b/spyder/config/base.py +@@ -366,20 +366,24 @@ + # This needs to be updated every time a new language is added to spyder, and is + # used by the Preferences configuration to populate the Language QComboBox + LANGUAGE_CODES = { +-'en': u'English', +-'fr': u'Français', +-'es': u'Español', +-'hu': u'Magyar', +-'pt_BR': u'Português', +-'ru': u'Русский', +-'zh_CN': u'简体中文', +-'ja': u'日本語', +-'de': u'Deutsch', +-'pl': u'Polski' ++'en': 'English', ++'fr': 'Français', ++'es': 'Español', ++'hu': 'Magyar', ++'pt_BR': 'Português', ++'ru': 'Русский', ++'zh_CN': '简体中文', ++'ja': '日本語', ++'de': 'Deutsch', ++'pl': 'Polski', ++'fa': 'Persian', ++'hr': 'Croatian', ++'te': 'Telugu', ++'uk': 'Ukrainian', + } + + # Disabled languages because their translations are outdated or incomplete +-DISABLED_LANGUAGES = ['hu', 'pl'] ++DISABLED_LANGUAGES = ['fa', 'hr', 'hu', 'pl', 'te', 'uk'] + + + def get_available_translations(): +@@ -400,14 +404,19 @@ + + # Check that there is a language code avai
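Review bot: The header of debian/patches/enable-i18n.patch cites two different upstream pull requests: the Subject line reads "Backport PR #21451" while the Origin field points to https://github.com/spyder-ide/spyder/pull/21461. One of the two numbers looks like a typo; please make them agree so the backport can be traced to a single upstream change alongside commit 7d99df57dc977ee00d92c959102409be1683df24. In the LANGUAGE_CODES hunk, the four added entries ('fa', 'hr', 'te', 'uk') use English names while every existing entry uses the language's own name, and all four are added to DISABLED_LANGUAGES in the same change; a short comment saying why codes are listed and disabled together would help the next person who updates this table.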
Processed: bookworm-pu: package spyder/5.4.2+ds-5+deb12u1
Processing control commands: > affects -1 + src:spyder Bug #1057157 [release.debian.org] bookworm-pu: package spyder/5.4.2+ds-5+deb12u1 Added indication that 1057157 affects src:spyder -- 1057157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057157 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: bookworm-pu: package fonts-noto-color-emoji/2.042-0+deb12u1
Processing control commands: > affects -1 + src:fonts-noto-color-emoji Bug #1057156 [release.debian.org] bookworm-pu: package fonts-noto-color-emoji/2.042-0+deb12u1 Added indication that 1057156 affects src:fonts-noto-color-emoji -- 1057156: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057156 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 1056521
Processing commands for cont...@bugs.debian.org: > # typoed the comment file so this was not automatically done > tags 1056521 = bookworm pending Bug #1056521 [release.debian.org] bookworm-pu: package qbittorrent/4.5.2-3 Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 1056521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056521 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1055611: bookworm-pu: package oscrypto/1.3.0-1+deb12u1
Control: tags -1 + confirmed

On Wed, 2023-11-08 at 22:06 +0100, Santiago Vila wrote:
> This upload fixes FTBFS bug #1033822 in stable.
> It fixes also the autopkgtests, which are currently broken in stable.

Please go ahead.

Regards,
Adam
Processed: Re: Bug#1055611: bookworm-pu: package oscrypto/1.3.0-1+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055611 [release.debian.org] bookworm-pu: package oscrypto/1.3.0-1+deb12u1 Added tag(s) confirmed. -- 1055611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055611 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1055539: bookworm-pu: package opensc/0.23.0-0.3+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055539 [release.debian.org] bookworm-pu: package opensc/0.23.0-0.3+deb12u1 Added tag(s) confirmed. -- 1055539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055539 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1055539: bookworm-pu: package opensc/0.23.0-0.3+deb12u1
Control: tags -1 + confirmed

On Wed, 2023-11-08 at 02:15 +0100, Bastian Germann wrote:
> opensc in bookworm is vulnerable for CVE-2023-4535, CVE-2023-40660, CVE-2023-40661.

Please go ahead.

Regards,
Adam
Processed: Re: Bug#1055419: bookworm-pu: package pcs/0.11.5-1+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055419 [release.debian.org] bookworm-pu: package pcs/0.11.5-1+deb12u1 Added tag(s) confirmed. -- 1055419: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055419 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#1055350: bookworm-pu: package exfatprogs/1.2.0-1+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055350 [release.debian.org] bookworm-pu: package exfatprogs/1.2.0-1+deb12u1 Added tag(s) confirmed. -- 1055350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055350 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1055350: bookworm-pu: package exfatprogs/1.2.0-1+deb12u1
Control: tags -1 + confirmed

On Sat, 2023-11-04 at 18:05 +0100, Sven Hoexter wrote:
> https://security-tracker.debian.org/tracker/CVE-2023-45897
> Low priority security issue, out-of-bounds memory access
> in the exFAT fsck utility exfat2img helper.

Please go ahead.

Regards,
Adam
Bug#1055419: bookworm-pu: package pcs/0.11.5-1+deb12u1
Control: tags -1 + confirmed

On Sun, 2023-11-05 at 17:16 +0100, Valentin Vidic wrote:
> Running the 'crm resource move' command results in a Python stack trace due to missing arguments in a function call. The bug was introduced in version 0.11.5 and fixed upstream in 0.11.6.

Please go ahead.

Regards,
Adam
Processed: Re: Bug#1055248: bookworm-pu: pipewire/0.3.65-3+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055248 [release.debian.org] bookworm-pu: pipewire/0.3.65-3+deb12u1 Added tag(s) confirmed. -- 1055248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055248 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1055248: bookworm-pu: pipewire/0.3.65-3+deb12u1
Control: tags -1 + confirmed

On Thu, 2023-11-02 at 21:02 +0100, Dylan Aïssi wrote:
> Fix memory leak in pipewire-pulse #1015915.

Please go ahead.

Regards,
Adam
Processed: Re: Bug#1055229: bookworm-pu: package redis/5:7.0.11-1+deb12u1
Processing control commands: > tags -1 + confirmed Bug #1055229 [release.debian.org] bookworm-pu: package redis/5:7.0.11-1+deb12u1 Added tag(s) confirmed. -- 1055229: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055229 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1055229: bookworm-pu: package redis/5:7.0.11-1+deb12u1
Control: tags -1 + confirmed

On Thu, 2023-11-02 at 10:27 -0400, Chris Lamb wrote:
> redis (5:7.0.11-1+deb12u1) bookworm; urgency=medium
> .
> * Drop ProcSubset=pid hardening flag from the systemd unit files it causes
>   difficult-to-reproduce crashes with memory allocation errors. A big thanks
>   to Arnaud Rebillout for the extensive investigation.
>   (Closes: #1055039)
> * Update debian/gbp.conf for the debian/bookworm branch.
>

Please go ahead.

Regards,
Adam
NEW changes in stable-new
Processing changes file: perl_5.36.0-7+deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: qbittorrent_4.5.2-3+deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: systemd_252.19-1~deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: opendkim_2.11.0~beta2-8+deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: unadf_0.7.11a-5+deb12u1_mipsel-buildd.changes ACCEPT
Processed (with 1 error): fix meta info
Processing commands for cont...@bugs.debian.org: > severity 1042978 normal Bug #1042978 [release.debian.org] Tests invalid package upgrades Severity set to 'normal' from 'serious' > user release.debian@packages.debian.org Setting user to release.debian@packages.debian.org (was elb...@debian.org). > usertag 1042978 britney There were no usertags set. Usertags are now: britney. > title 1042978 britney: sometimes triggers wrong tests for linux Unknown command or malformed arguments to command. > thanks Stopping processing here. Please contact me if you need assistance. -- 1042978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042978 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: release.debian.org: provide a dd-list in the transition tracker
Processing control commands: > reassign -1 ben Bug #636342 [release.debian.org] release.debian.org: provide a dd-list in the transition tracker Bug reassigned from package 'release.debian.org' to 'ben'. Ignoring request to alter found versions of bug #636342 to the same values previously set Ignoring request to alter fixed versions of bug #636342 to the same values previously set -- 636342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=636342 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#636342: release.debian.org: provide a dd-list in the transition tracker
Control: reassign -1 ben

Hi,

On Tue, 02 Aug 2011 13:54:23 +0200 Yves-Alexis Perez wrote:
> Package: release.debian.org
> Severity: wishlist
>
> looking at the libnotify transition, I can see that I'm involved in quite some packages, but as there are a lot of packages in total, it can be easy to miss one. I thought it could be nice to have a dd-list (or similar) of the relevant packages, so one could quickly see if he needs to take action or not.
>
> Usually there are transition bugs against packages when the maintainer needs to do something. But for the cases where the maintainer has to refrain himself to upload something, having an idea of who's concerned can be useful.

The binary that provides our transition tracker is ben, reassigning.

> Another idea would be to send mail to maintainers when transition is set up in the tracker.

Hmm, most trackers are (auto) set up months before the transition starts.

> I'm not sure if it's hard or not and if it's really worth the work, but I was asked to report it more formally than on #debian-release so here we are :)

At the time, ben didn't even exist (at least not in the archive) ...

Paul
Bug#622947: marked as done (per-maintainer insights into migrations and transitions)
Your message dated Thu, 30 Nov 2023 14:14:32 +0100 with message-id <88e55e95-336d-4204-9430-e93988639...@debian.org> and subject line Re: per-maintainer insights into migrations and transitions has caused the Debian Bug report #622947, regarding per-maintainer insights into migrations and transitions to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
622947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: wishlist

It would be nice to be able to easily find out:

* which of the packages I am responsible for haven't yet migrated to testing after the 10/5/2 day period and why
* which of the packages I am responsible for are involved in current transitions
* which of the packages I am responsible for are involved in a specific transition

--
bye,
pabs

http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Hi,

On Sat, 16 Apr 2011 12:49:45 +0800 Paul Wise wrote:
> It would be nice to be able to easily find out:
>
> * which of the packages I am responsible for haven't yet migrated to testing after the 10/5/2 day period and why
> * which of the packages I am responsible for are involved in current transitions
> * which of the packages I am responsible for are involved in a specific transition

The tracker has been doing this for years now.

Paul
--- End Message ---
Bug#601730: marked as done (release.debian.org: please merge graphs and data of number of packages in testing/trying to get in by corsac)
Your message dated Thu, 30 Nov 2023 14:10:21 +0100 with message-id and subject line Re: release.debian.org: please merge graphs and data of number of packages in testing/trying to get in by corsac has caused the Debian Bug report #601730, regarding release.debian.org: please merge graphs and data of number of packages in testing/trying to get in by corsac to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
601730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601730
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: wishlist
X-Debbugs-CC: Yves-Alexis Perez

Please merge the scripts and data for these graphs into release.d.o:

http://molly.corsac.net/~corsac/debian/testing/
http://molly.corsac.net/~corsac/debian/testing/testing.py

I guess you will have to contact corsac to get access to the data.

--
bye,
pabs

http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Control: tags -1 wontfix

Hi,

On Fri, 29 Oct 2010 10:21:13 +0800 Paul Wise wrote:
> Please merge the scripts and data for these graphs into release.d.o:
>
> http://molly.corsac.net/~corsac/debian/testing/
> http://molly.corsac.net/~corsac/debian/testing/testing.py
>
> I guess you will have to contact corsac to get access to the data.

The service the script was based on has been removed several years ago and the graphs haven't seen an update. I'm closing this bug now as the current script is not ready to be used and I don't see us generating something soon ourselves. I guess patches welcome though if they seem maintainable.

Paul
--- End Message ---
NEW changes in stable-new
Processing changes file: qbittorrent_4.5.2-3+deb12u1_mips64el-buildd.changes ACCEPT
Bug#742329: marked as done (use softer colours for architecture qualification page)
Your message dated Thu, 30 Nov 2023 13:38:42 +0100 with message-id <7b3ec132-f52c-45e0-be52-971368dbc...@debian.org> and subject line Re: use softer colours for architecture qualification page has caused the Debian Bug report #742329, regarding use softer colours for architecture qualification page to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 742329: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742329 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: minor Tags: patch Attached patch uses softer colours which are easier on the eye for the architecture qualification page. >From 3932bb06d69557a5d05efbf50459d9b7b9b5cccf Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Sat, 22 Mar 2014 14:39:18 +0100 Subject: [PATCH] Use less hard colours to reduce eyebleedage. --- www/jessie/arch_qualify.py |8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/www/jessie/arch_qualify.py b/www/jessie/arch_qualify.py index 0e56ead..9ffa0ee 100644 --- a/www/jessie/arch_qualify.py +++ b/www/jessie/arch_qualify.py @@ -18,9 +18,9 @@ from collections import OrderedDict ### formatting helpers -def FAIL(value): return ("red",value) -def WARN(value): return ("yellow",value) -def PASS(value): return ("lime",value) +def FAIL(value): return ("#e87272",value) +def WARN(value): return ("#ccff66",value) +def PASS(value): return ("#60e760",value) def c_truth(value): if value == True or value == "yes": 
@@ -152,7 +152,7 @@ def dump_table(info,waivers): w = waivers.get(arch,{}).get(c,None) if w: -col="cyan" +col="#00" contents += ' (w)' % (w) if col=="red": -- 1.7.10.4 --- End Message --- --- Begin Message --- Hi Thijs, On Sat, 22 Mar 2014 15:11:54 +0100 Thijs Kinkhorst wrote: Package: release.debian.org Severity: minor Tags: patch Attached patch uses softer colours which are easier on the eye for the architecture qualification page. Thanks, applied (after a much too long time). Paul OpenPGP_signature.asc Description: OpenPGP digital signature --- End Message ---
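Review bot: In the second hunk the unchanged context line `if col=="red":` still tests for the old colour name, while the first hunk makes FAIL() return "#e87272", so if `col` carries the FAIL colour at that point the branch can no longer match. Compare against the new value, or better against a named constant shared with FAIL(), so the colour and the test cannot drift apart again. The replacement `col="#00"` as shown is also not a valid 3- or 6-digit hex colour and should be checked against the intended waiver colour.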
Bug#1057137: bullseye-pu: package gnutls28/3.7.1-5+deb11u4
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Control: affects -1 + src:gnutls28 Hello, I would like to fix CVE-2023-5981 / GNUTLS-SA-2023-10-23 for oldstable (no DSA forthcoming, to fixed by stable update.) The patch is cherrypicked from upstream 3.8.2 release. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.1/debian/changelog gnutls28-3.7.1/debian/changelog --- gnutls28-3.7.1/debian/changelog 2023-02-12 13:59:45.0 +0100 +++ gnutls28-3.7.1/debian/changelog 2023-11-30 11:37:44.0 +0100 @@ -1,3 +1,10 @@ +gnutls28 (3.7.1-5+deb11u4) bullseye; urgency=medium + + * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel +in RSA-PSK key exchange) from 3.8.2. Closes: #1056188 + + -- Andreas Metzler Thu, 30 Nov 2023 11:37:44 +0100 + gnutls28 (3.7.1-5+deb11u3) bullseye-security; urgency=high * Fix timing sidechannel vulnerability in RSA decryption. diff -Nru gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch --- gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.1/debian/patches/62-auth-rsa_psk-side-step-potential-side-channel.patch 2023-11-30 11:37:44.0 +0100 
@@ -0,0 +1,229 @@ +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++ + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c b/lib/auth/rsa.c +@@ -205,11 +205,11 @@ proc_rsa_client_kx(gnutls_session_t sess + gnutls_privkey_decrypt_data2(session->internals.selected_key, + 0, &ciphertext, session->key.key.data, + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the + * random key previously generated. (in order to avoid attack against + * pkcs-1 formatting). 
+--- a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +@@ -262,18 +262,17 @@ static int + _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); + + if (cred == NULL) { +@@ -325,75 +324,53 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- &ciphertext, &plaintext); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_minor(session) != +- plaintext.data[1])) { +- /* No error is returned here, if the version number check
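Review bot: The new declaration `volatile uint8_t ver_maj, ver_min;` in the first lib/auth/rsa_psk.c hunk has no comment saying why it is volatile. Given that the commit message describes the change as removing branching that depends on secret data, the qualifier is presumably there so the compiler does not turn the version check on the decrypted premaster secret back into a secret-dependent branch. A one-line comment to that effect next to the declaration would keep a later cleanup from dropping it.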
Processed: bullseye-pu: package gnutls28/3.7.1-5+deb11u4
Processing control commands: > affects -1 + src:gnutls28 Bug #1057137 [release.debian.org] bullseye-pu: package gnutls28/3.7.1-5+deb11u4 Added indication that 1057137 affects src:gnutls28 -- 1057137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057137 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: perl_5.36.0-7+deb12u1_mips64el-buildd.changes ACCEPT
Processing changes file: unadf_0.7.11a-5+deb12u1_mips64el-buildd.changes ACCEPT
Bug#1055085: waiting for 3.12.1
Wait until 3.12.1 is in the archive. 3.12.0+ isn't well handled as a version by some third-party libraries.
Bug#1056307: bookworm-pu: package lastpass-cli/1.3.7-1+deb12u1
Adam D. Barratt wrote:
> The version for a backport needs to be 1.3.7-1~deb12u1, so as to be
> lower than the original upload.
>
> With that change, please go ahead.

Uploaded with the corrected version number.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Bug#796476: ftp.debian.org: valid-until for stable
Hi,

On Thu, 19 May 2016 10:03:49 +0200 Julien Cristau wrote:
> On Sat, Aug 22, 2015 at 01:28:22 +0200, Raphael Geissert wrote:
> > Nowadays the Release files for the *stable releases do not have a
> > Valid-Until field.
> > From a security POV, this could allow a replay attack to be performed
> > on the main stable repositories, which could prevent a user from
> > getting some security updates.
> >
> > Would it be possible to have such a valid-until field with a duration
> > of, say, four months?
> > Given the trend of doing point updates every few months, the date
> > could be renewed only at point release time.
>
> I think it would have to be 6 months, at which point I don't see that it
> buys you much in the way of security, and it breaks archive.debian.org
> further. So I'm not wild about that idea.

So, shall we close (wontfix) this bug report? Or have insights changed in those 7 years in between?

Paul
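The replay concern discussed in this thread, as an added example that is not part of the original messages or of apt: a client-side freshness check on a Release file whose signature has already been verified. The sample headers, function names and verdict strings are constructed for illustration; 120 and 180 days stand in for the four-month and six-month windows mentioned above.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not real archive data). Assumed to be the
# payload of a Release file whose signature was already verified.
STABLE_RELEASE = """\
Origin: Debian
Suite: stable
Codename: bookworm
Date: Sat, 07 Oct 2023 09:00:00 UTC
SHA256:
 <placeholder-digest> 1234 main/binary-amd64/Packages
"""
SECURITY_RELEASE = """\
Origin: Debian
Suite: stable-security
Date: Thu, 30 Nov 2023 10:00:00 UTC
Valid-Until: Thu, 07 Dec 2023 10:00:00 UTC
"""
CLOCK_SKEW = timedelta(minutes=5)


def parse_release_header(text):
    """Return the single-line fields of the Release stanza, keys lowercased."""
    fields = {}
    for line in text.strip().splitlines():
        if not line.strip():
            break                      # end of the stanza
        if line[0] in " \t":
            continue                   # continuation line (checksum lists)
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def _timestamp(value):
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_freshness(release_text, now, max_age=None):
    """Classify a verified Release file: fresh, expired, unbounded, future-dated.

    max_age is a local cap counted from the Date field, comparable in spirit
    to apt's Acquire::Max-ValidTime; the earlier of it and Valid-Until wins.
    """
    fields = parse_release_header(release_text)
    date = _timestamp(fields["date"]) if "date" in fields else None
    if date and date > now + CLOCK_SKEW:
        return "future-dated"
    deadlines = []
    if "valid-until" in fields:
        deadlines.append(_timestamp(fields["valid-until"]))
    if date and max_age is not None:
        deadlines.append(date + max_age)
    if not deadlines:
        # Nothing bounds the file's lifetime: a stale but validly signed copy
        # is indistinguishable from the current one (the replay case).
        return "unbounded"
    return "fresh" if now <= min(deadlines) else "expired"
```

On 1 March 2024 the constructed stable file is "unbounded" without a local cap, "expired" under a 120-day cap and still "fresh" under a 180-day cap, which is the trade-off the thread is weighing.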
Bug#951209: marked as done (nmu: libgusb and co)
Your message dated Thu, 30 Nov 2023 10:43:30 +0100 with message-id <6a7bb57e-aa3b-49b8-9b79-6f2b3c701...@debian.org> and subject line Re: transition: libgusb has caused the Debian Bug report #951209, regarding nmu: libgusb and co to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
951209: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951209
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

libgusb is carrying in debian a patch[0] to revert/fix an after the fact change that was done upstream in the versioning of the symbols.

I don't think we should/can carry this patch forever and due to the fact that the number of reverse-dependencies is quite limited, I was planning to simply drop it, but that would require to binNMU them to be certain they are using the correct version of the symbol.

r-deps are:
colord
colorhug-client
fwupd
gnome-multi-writer
simple-scan

I quickly tested and among these, only fwupd seems impacted.

I updated the .symbols file of libgusb2 so the symbols affected by this version change will generate a dependency against the latest version of the library.

Could you please give me the greenlight to upload the new version of libgusb and then schedule a binNMU of fwupd (or all the rdeps if you prefer)

Kind regards,

Laurent Bigonville

[0] https://salsa.debian.org/debian/libgusb/blob/master/debian/patches/revert-versioning.patch

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
--- End Message ---

--- Begin Message ---
Hi,

On Wed, 12 Feb 2020 15:24:42 +0100 Laurent Bigonville wrote:
> libgusb is carrying in debian a patch[0] to revert/fix an after the fact
> change that was done upstream in the versioning of the symbols.
>
> I don't think we should/can carry this patch forever and due to the fact
> that the number of reverse-dependencies is quite limited, I was planning
> to simply drop it, but that would require to binNMU them to be certain
> they are using the correct version of the symbol.

Reading the changelog, I think this bug is no longer relevant. Please reopen if I made a mistake, but please elaborate what the plan is.

Paul
--- End Message ---
Bug#1050113: marked as done (unblock: rust-rustls-webpki/0.101.3-1.1)
Your message dated Thu, 30 Nov 2023 10:36:19 +0100 with message-id <0e66a837-b288-420c-acfa-9b7264ce8...@debian.org> and subject line Re: Bug#1050113: unblock: rust-rustls-webpki/0.101.3-1.1 has caused the Debian Bug report #1050113, regarding unblock: rust-rustls-webpki/0.101.3-1.1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1050113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package rust-rustls-webpki

The package is blocked by autopkgtest failures on ppc64el and s390x. The reason for these failures is that the package (which is arch all) is not installable on these architectures because it depends on the ring crate which is not currently portable.

Please can you override these failures and allow the package to migrate to testing.

-- System Information:
Debian Release: 10.11
APT prefers oldoldstable-updates
APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---

--- Begin Message ---
Hi,

On Thu, 31 Aug 2023 21:18:14 +0100 Peter Michael Green wrote:
> Testing migration was unfortunately interrupted by a security bug. then
> some follow-up issues with the new upstream version uploaded to fix the
> security bug.
>
> Can you update the hint to 0.101.4-4?

The version in testing and unstable are in sync, closing this bug.

Paul
--- End Message ---
Bug#1057089: bullseye-pu: package usrmerge/37~deb12u1
On Nov 29, Andreas Beckmann wrote:
> Improve the usrmerge experience in bookworm.

Great idea, thank you for working on this!

--
ciao,
Marco
Processed: bookworm-pu: package debian-edu-fai/2023.11.19.1~deb12u1
Processing control commands: > affects -1 + src:debian-edu-fai Bug #1057129 [release.debian.org] bookworm-pu: package debian-edu-fai/2023.11.19.1~deb12u1 Added indication that 1057129 affects src:debian-edu-fai -- 1057129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057129 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: bookworm-pu: package gnutls28/3.7.9-2+deb12u1
Processing control commands: > affects -1 + src:gnutls28 Bug #1057128 [release.debian.org] bookworm-pu: package gnutls28/3.7.9-2+deb12u1 Added indication that 1057128 affects src:gnutls28 -- 1057128: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057128 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1057128: bookworm-pu: package gnutls28/3.7.9-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu Control: affects -1 + src:gnutls28 Hello, I would like to fix CVE-2023-5981 / GNUTLS-SA-2023-10-23 for stable (no DSA forthcoming, to fixed by stable update.) The patch is cherrypicked from upstream 3.8.2 release. Ubuntu's 3.7.8-5ubuntu1.1 has the same patch (except for being U3 instead of U5 format). [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' diff -Nru gnutls28-3.7.9/debian/changelog gnutls28-3.7.9/debian/changelog --- gnutls28-3.7.9/debian/changelog 2023-04-15 13:45:57.0 +0200 +++ gnutls28-3.7.9/debian/changelog 2023-11-30 07:50:48.0 +0100 @@ -1,3 +1,10 @@ +gnutls28 (3.7.9-2+deb12u1) bookworm; urgency=medium + + * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel +in RSA-PSK key exchange) from 3.8.2. Closes: #1056188 + + -- Andreas Metzler Thu, 30 Nov 2023 07:50:48 +0100 + gnutls28 (3.7.9-2) unstable; urgency=medium * CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls diff -Nru gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch --- gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch 2023-11-30 07:50:48.0 +0100 
@@ -0,0 +1,229 @@ +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++ + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c b/lib/auth/rsa.c +@@ -205,11 +205,11 @@ proc_rsa_client_kx(gnutls_session_t sess + gnutls_privkey_decrypt_data2(session->internals.selected_key, + 0, &ciphertext, session->key.key.data, + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the + * random key previously generated. (in order to avoid attack against + * pkcs-1 formatting). 
+--- a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +@@ -262,18 +262,17 @@ static int + _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); + + if (cred == NULL) { +@@ -327,75 +326,53 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- &ciphertext, &plaintext); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_minor(session) !=
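Review bot: The lib/auth/rsa.c hunk of the backported patch only rewords a comment ("treat very carefully" to "tread carefully") and has no effect on the fix. For a stable update it could be dropped to keep the debdiff minimal; if the patch is deliberately kept identical to upstream commit 29d6298d0b04cfff970b993915db71ba3f580b6d so it is easier to audit, saying so in the patch header or the changelog entry would help reviewers.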